Cyber Crime: Are You Reporting Attacks on Your Business?
While statistics show that cybercrime is on the rise, they also show that few people are reporting it.
According to the latest reports, cybercrime is up 63%. And while fraud and computer misuse have decreased, incidents involving malware are definitely on the rise. While these statistics show some of the problems encountered by businesses, it is still unknown how it is really impacting as not all those are falling victim to these crimes are reporting the incidents.
The main reason for this seems to point to misconceptions about what reporting these crimes, according to Mike Hulett, head of operations for the National Cyber Crime Unit (NCCU) which leads the UK law enforcement’s response to cybercrime at the National Crime Agency (NCA).
Whether it is due to lack of faith in how the agency can actually help on a law enforcement level, the failure to see the benefits of reporting, the worry that the incident is too small for police to care, the admission that your cyber defences have failed, or the concerns of investigations that could hamper business operations or worse shut it down. Reporting such crimes can be beneficial to not only your business but other businesses in the future.
With the increase of insurance companies offering cyber insurance, reporting such crimes is beginning to become incentivized, much like most other kinds of crimes. Insurance companies will require a case number.
Hulett stresses the need for all businesses to report these crimes, “We want all victims of cybercrime to report. Who you are and what has happened is going to affect the scale and nature of the response, but there is no cut-off in terms of the size of the organisation affected. We want everybody to report, regardless of how large or small the organisation.” No organisation is immune to an attack, from the smallest to the largest, anyone can fall victim.
Although it can take weeks or months to discover a cyber attack, there are some instances where you know about the attack immediately. Distributed denial of service (DDoS) attacks, ransomware and other types of extortion can be happening right before your eyes. Hulett stresses the importance of reporting these immediately, “Report as soon as possible, particularly if it is a crime in action. We have much more chance of being able to help and of being able to catch the criminals responsible if the crime is reported to us while it is taking place.”
How to report?
While the new General Data Protection Regulation (GDPR) and the GDPR aligned laws in the UK may make it seem like a complicated process, it is not as difficult as it seems. Hulett explained that lots have been done recently to ensure coordination and communication once a report has been made and that where ever you report the crime, the right authorities will deal with the case.
“While there are different law enforcement agencies involved behind the front door, it doesn’t matter which front door you go through, whether that is the UK's national fraud and cybercrime reporting centre Action Fraud, the National Cyber Security Centre or the local police force. Action Fraud is still the main point for reporting cybercrime, but it is now a 24/7 service either through a call centre or an online reporting tool.
“Previously people have been put off by the fact that it was available only at certain times of the day, but now it is available whenever people have the opportunity to report cyber crime or if a business wants to report a crime in action that is happening very late at night or early in the morning.”
Hulett also advises that for crimes in action that are reported outside of normal office hours, these cases will be referred to the most appropriate agencies, advising that in these cases the call centre should be used rather than the online reporting tool.
Why you should report
As with any other type of criminal activity, you are a victim of a crime and you are entitled to a law enforcement response. “This alone is a good reason to take what help and advice is freely on offer from law enforcement,” Hulett says.
Organisations may be nervous that reporting an incident will draw more publicity to the incident than it otherwise would Hulett assures that this is not the case, “While it is up to the company involved to manage the media where there is a public security breach, they do not have to worry that law enforcement will exacerbate the situation by publicising something that is not already in the public domain,
“Our goal is also to ensure there are consequences for criminals because cybercrime is still seen as a low risk, high reward environment and we need to change that perception by arresting and prosecuting people, and the more cyber crimes that are reported, the greater our chances of catching the relatively few people out there who are enabling cybercriminal activities.”
Another important reason for reporting cybercrime is that it allows law enforcement agencies to gather more evidence about the type of activity being carried out and to utilise this in other cases.
“Even if a company decides they do not want to support a prosecution, there is still value in engaging with us so we can see what has happened to the company and how it has been done to build up an aggregated intelligence picture across a number of incidents,” says Hulett.
“The same approach is used with traditional crime. Most burglars don’t get caught based on evidence at a single crime scene. Typically they get caught because police are able to build up a profile from evidence gathered across several crime scenes.”
What will happen?
Although it can seem nerve-racking reporting an incident, knowing what will happen once you have reported a cyber attack can make the process easier.
Hulett explains the first thing to understand about the process is that everyone will not get an instant response to a report.
Law enforcement has to prioritise cases, much like other crimes. Factors like crimes in action, or crimes that meet a certain threshold in terms of attack type, size and the impact of the attack are going to be given top priority and referred to the NCA. Historical and low-level incidents will be referred to the relevant police forces for investigation by themselves.
“If for example, a company were to call Action Fraud to report an active ransomware attack in which their systems have been encrypted so that they can’t do anything, Action Fraud would pass it straight on to the NCA’s central TICAT [triage, incident coordination and tasking] team to decide on the most appropriate response,” says Hulett.
“In a live ransomware scenario, the affected company would get a call from our TICAT team to get as much information as possible about the incident, including details of what systems have been affected and if there has been any contact from those behind the ransomware.”
Advice will still be given to those choose not to file an official crime report, Hulett explains, however, a forensic team will not be sent out. By reporting the incident as a crime you also help to improve the official statistics around these types of incidents.
Hulett explains the next steps of the process is to gather more information if you have decided to cooperate with law enforcement. This will include information being gathered about key employees and where the firm’s hardware is located so that these can be imaged to capture any available evidence in the least disruptive way.
“We fully recognise that they are victims of crime and that companies’ priority is to get their business up and running as soon as possible so we try to deal with that as sensitively as we can, but at the same time businesses need to understand the importance of imaging servers as soon as possible before the evidence is gone,
“If those behind the ransomware have contacted the targeted organisation, it opens up the opportunity for law enforcement to engage with them covertly to try to work out who they are with a view to identifying and arresting them to face prosecution,” explains Hulett.
It is important to understand that cybercrime investigators will only image the systems to capture evidence. They will not rebuild affected systems or install new servers.
Hulett also eases the concerns around the incident going public, as this can be a concern for reporting a cybercrime. This can also make people hesitant to answer the relevant questions asked by law enforcement surrounding the lack of security controls they may have had in place.
“We will not go public about an incident or share any information with regulators that is not already publicly known about, but we will advise them to report to the appropriate regulators as soon as possible and we will advise them when it is appropriate to warn customers of a potential breach because they may be subject to direct or secondary fraud, but ultimately it is the company’s decision,” says Hulett.
There are Still Positives...
While there has been an increase in cybercrime, there are a growing number of companies setting good examples when it comes to acting on attacks and reviewing their security on an ongoing basis according to the NCA.
“More organisations are also waking up to the fact that physical security and personnel security are linked to cybersecurity and that there is no point in doing all these things separately,” says Hulett. Cyber insurance is also becoming an interesting aspect of a business, covering the costs of getting systems back up and running following a cyber attack.
“Cyber insurance is growing in popularity, and if it is something that encourages general good cyber security practice and increased cybercrime reporting to law enforcement, then we would support that, but companies need to ensure that cyber insurance does not result in a false sense of security and that they are doing everything that they can to prevent a cyber attack and to recover if one occurs.”
And with a growing number of cyber attacks being reported in the news, more people are aware of what can happen. This is having a positive effect on companies who are seeing the importance of investing in appropriate cybersecurity. The introduction of GDPR is also having a further effect, as companies have new guidelines to follow regarding customer and clients information.
If you are looking for more information on how to back up your system for your business or providing training for your employees surrounding possible attacks, get in touch with us at Xenace today.